Service Control Policies
Complete the full lesson to earn 25 points
Work through each section, then tap “Mark as Complete” on the last one.
✦ Skip the page breaks and see fewer ads — read each lesson on a single page with Pro
Mastering Service Control Policies (SCPs) in Cloud Security
Introduction: The Foundation of Guardrails
In the landscape of modern cloud architecture, managing permissions across hundreds of individual accounts can quickly become a nightmare. As organizations scale, the "least privilege" principle—the practice of giving users and services only the access they absolutely need—becomes difficult to enforce manually. This is where Service Control Policies (SCPs) come into play. An SCP is a type of policy that allows you to set the maximum available permissions for accounts in your organization. Think of them not as a way to grant permissions, but as a way to define the boundaries of what is possible within an account.
Why does this matter? Imagine a scenario where a developer accidentally makes an Amazon S3 bucket public, or a compromised credential allows an attacker to delete logs across your entire production environment. Without a central control mechanism, you are relying on the individual configuration of every single account. SCPs provide a "safety net" or "guardrail" that sits above your Identity and Access Management (IAM) policies. Even if a user has "Administrator" access within a specific account, an SCP can explicitly forbid them from deleting specific resources or accessing specific regions. By mastering SCPs, you move from a reactive security posture to a proactive, governance-driven model that prevents unauthorized actions before they ever happen.
Understanding the Hierarchy of Permissions
To truly grasp how SCPs work, you must understand their position in the hierarchy of authorization. In most cloud environments, authorization is an additive process, but SCPs introduce a restrictive layer that filters the final result. When a request is made, the system evaluates all applicable policies. If any policy explicitly denies the request, the action is blocked, regardless of what other permissions exist.
SCPs do not grant permissions. If you create an SCP that allows full access to all services, you have effectively done nothing, because the users within those accounts still need individual IAM policies to perform their tasks. Instead, SCPs act as a filter. If an IAM policy grants "Full Access" but an SCP denies "DeleteBucket," the delete action will fail. This distinction is critical for architects to understand: IAM is for granular, day-to-day access control, while SCPs are for high-level, organizational guardrails.
Callout: SCPs vs. IAM Policies It is common to confuse SCPs with IAM policies. The primary difference is the scope and intent. IAM policies are attached to users, groups, or roles and determine what a specific identity can do. SCPs are attached to Organizational Units (OUs) or individual accounts and determine the maximum boundary of what can be done in that account. IAM is the "gas pedal" that provides access, while the SCP is the "speed governor" that limits how fast you can go.
The Mechanics of SCP Structure
An SCP uses the same JSON-based syntax as standard IAM policies. It consists of a version, a statement, an effect (Allow or Deny), and the specific actions and resources involved. However, because SCPs define boundaries, they are almost exclusively used with "Deny" effects. If you use an "Allow" effect in an SCP, you are essentially saying, "Only these actions are permitted, provided the user also has the corresponding IAM permissions."
Basic JSON Structure of an SCP
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "RestrictRegionAccess",
"Effect": "Deny",
"Action": [
"ec2:RunInstances"
],
"Resource": "*",
"Condition": {
"StringNotEquals": {
"aws:RequestedRegion": [
"us-east-1",
"us-west-2"
]
}
}
}
]
}
In the example above, the policy denies the ability to launch EC2 instances in any region other than us-east-1 or us-west-2. Even if an administrator account tries to launch a server in eu-central-1, the request will be rejected. The Sid (Statement ID) is a human-readable identifier that helps your team understand the intent of the policy. The Condition block is where the real power of SCPs lies, allowing you to enforce geographic, temporal, or resource-based constraints.
Implementation Strategy: Step-by-Step
Implementing SCPs is a process that requires caution. Because they can block access for your entire organization, you should never apply them to production environments without rigorous testing.
Step 1: Enable All Features
Before you can use SCPs, you must ensure that your organization has "All Features" enabled. If you are using an organization with only "Consolidated Billing" enabled, SCPs will not be available. You can check this in your organization's dashboard.
Step 2: Create a Sandbox OU
Never apply a new SCP directly to your root or production organizational units. Create an OU specifically for testing. Move a non-production account into this OU to verify that the policy behaves as expected without disrupting your business operations.
Step 3: Draft the Policy
Write the JSON policy based on your requirements. Use the principle of "least privilege" to define the boundaries. For example, if you want to prevent members from leaving the organization, create a policy that denies organizations:LeaveOrganization for all principals.
Step 4: Attach and Test
Attach the policy to your test OU. Log into the member account and attempt to perform the restricted action. If the action is denied, the policy is working. If the action is still allowed, check your IAM permissions and the SCP structure for syntax errors.
Step 5: Rollout
Once testing is complete, incrementally attach the policy to other OUs, starting with development, then staging, and finally production.
Common Use Cases and Real-World Examples
1. Preventing Resource Deletion
In large organizations, accidental deletion of critical infrastructure is a major risk. You can use an SCP to prevent the deletion of specific resources, such as CloudTrail logs or IAM roles.
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "PreventLogDeletion",
"Effect": "Deny",
"Action": [
"s3:DeleteBucket",
"s3:DeleteObject"
],
"Resource": "arn:aws:s3:::my-secure-audit-logs/*"
}
]
}
2. Enforcing Regional Compliance
Many industries are subject to data sovereignty laws that require data to be stored within specific geographic boundaries. SCPs are the most effective way to ensure that no developer accidentally creates resources in a forbidden region.
Tip: Monitoring with CloudTrail Always pair your SCPs with CloudTrail logging. When an SCP blocks an action, the event is recorded in the CloudTrail logs of the member account. This allows you to identify users or automated processes that are frequently hitting these "guardrails" and adjust their workflows accordingly.
3. Restricting High-Cost Services
If you have a strict budget, you may want to prevent users from spinning up high-cost services, such as large GPU-based instances or specialized database clusters, without prior approval. By creating an SCP that denies ec2:RunInstances for specific instance types (using a condition), you can ensure that only authorized infrastructure is deployed.
Comparison of Policy Types
| Feature | SCP | IAM Policy | Permission Boundary |
|---|---|---|---|
| Scope | Organization/OU/Account | User/Role/Group | User/Role |
| Effect | Restrictive (Max boundary) | Additive (Grants access) | Restrictive |
| Primary Use | Governance/Guardrails | Access Control | Delegation |
| Can Grant Access? | No | Yes | No |
Best Practices for Managing SCPs
1. Start with an "Allow All" Policy
When you first enable SCPs, the default is that everything is allowed. This is the safest way to start. Only add "Deny" statements once you have identified a clear security or compliance requirement. Do not start by trying to whitelist every single service, as this is incredibly difficult to maintain and will likely break legitimate workloads.
2. Keep Policies Small and Focused
Instead of creating one massive, monolithic SCP that covers every restriction, create smaller, modular policies. For example, have one policy for "Regional Restrictions," one for "Service Restrictions," and one for "Resource Protection." This makes it much easier to troubleshoot issues when a team reports that they cannot access a specific service.
3. Use the "Dry Run" Approach
Always test policies in a dedicated sandbox account. Because SCPs affect everyone in the OU, including the root user of the member account, a poorly written policy can lock you out of an account entirely. Always ensure you have a "Break Glass" account (an account that is not subject to the SCPs) to regain control if you make a mistake.
4. Document Your Policies
Since SCPs are applied at the organization level, they are often invisible to the developers working within a member account. If a developer receives an "Access Denied" error, they may spend hours checking their IAM policies, unaware that an SCP is the culprit. Documenting your policies in a central wiki or repository is essential for team transparency.
Warning: The "Deny" Trap Be extremely careful when using
Denystatements that include theAdministratorAccessrole. If you apply a policy that denies all actions to a specific resource, and you accidentally include the "Admin" role in that restriction, you may effectively lock yourself out of the management of that account. Always test thoroughly before applying to production.
Common Pitfalls and How to Avoid Them
The "Over-Restriction" Problem
The most common mistake is applying a broad "Deny" policy that inadvertently blocks essential services. For example, if you deny all S3 actions to save costs, you might inadvertently break the ability for your instances to boot up if they rely on S3 for scripts or configuration files.
- The Fix: Always audit the dependencies of your services before applying a global "Deny." Use the "Policy Simulator" tools provided by your cloud provider to test how a policy will affect specific actions.
Ignoring the Management Account
SCPs do not apply to the management account of your organization. This is a common point of confusion. If you are testing an SCP, you must apply it to a member account to see it in action. If you test it in the management account, it will appear to have no effect.
Lack of Versioning
SCPs are not versioned by default. If you make a change to a policy, it is applied immediately. If that change is incorrect, you have to manually roll it back.
- The Fix: Store your SCPs in a version control system like Git. Treat your infrastructure as code. When you need to update an SCP, update the JSON file in your repository, run it through a CI/CD pipeline for testing, and then deploy it via API or CLI.
Advanced Concepts: Using Conditions Effectively
The true power of SCPs lies in the Condition block. You can create highly specific rules that adapt to the context of the request.
Example: Enforcing MFA
You can create a policy that denies any action unless the user is authenticated via Multi-Factor Authentication (MFA).
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "EnforceMFA",
"Effect": "Deny",
"NotAction": [
"iam:CreateVirtualMFADevice",
"iam:EnableMFADevice",
"iam:ListMFADevices",
"iam:ResyncMFADevice",
"sts:GetSessionToken"
],
"Resource": "*",
"Condition": {
"BoolIfExists": {
"aws:MultiFactorAuthPresent": "false"
}
}
}
]
}
This policy is powerful because it allows users to perform the specific actions required to set up MFA, but denies everything else if MFA is not present. This is a classic example of using a "Deny" policy to enforce a security standard across an entire organization.
Troubleshooting SCP Issues
When things go wrong, the first step is to determine if an SCP is actually the cause of an "Access Denied" error.
- Check CloudTrail: Look for the
AccessDeniederror in the logs. If the error includes the name of an SCP, you have found your culprit. - Examine the IAM Policy: Verify that the user or role actually has the permission granted in IAM. If they don't have it in IAM, the SCP is irrelevant.
- Review the SCP Hierarchy: Remember that SCPs are cumulative. If you have an SCP attached to the root, the OU, and the account, all of them are evaluated. An explicit "Deny" anywhere in that chain will block the request.
- Check for "Deny" Overrides: Remember that in AWS, there is no "Allow" that overrides a "Deny." If you are confused about why an action is blocked, search for any "Deny" statement in your policies that matches the action.
The Role of SCPs in Compliance and Auditing
For organizations in regulated industries (such as finance, healthcare, or government), SCPs are not just a security tool; they are a compliance requirement. Auditors will often ask how you ensure that no data leaves a specific region or that no unauthorized personnel can modify audit logs.
By using SCPs, you can provide a "policy-as-code" document to auditors that clearly demonstrates your guardrails. You can show that, mathematically, it is impossible for a user to perform an unauthorized action because the SCP prevents it at the platform level. This significantly reduces the burden of manual audits and provides a high level of assurance.
Integrating SCPs into Your CI/CD Pipeline
If you are managing your infrastructure as code, you should also be managing your SCPs as code. Do not manually edit policies in the console. Instead, keep them in a repository.
Suggested Workflow:
- Develop: Write the policy in JSON.
- Validate: Use a linter or a tool to check for JSON syntax errors.
- Simulate: Use an IAM policy simulator to check if the policy correctly denies the intended actions.
- Deploy: Use a script or an infrastructure-as-code tool (like Terraform or CloudFormation) to apply the policy to the target OU.
- Monitor: Use an automated script to periodically check if the actual state of the SCPs in your organization matches the desired state in your repository. If there is a drift, alert the security team.
Future-Proofing Your Security Architecture
As cloud platforms evolve, new services and features are added constantly. A common challenge is that a new service might be released that you didn't account for in your SCPs.
- Review Regularly: Schedule a quarterly review of your SCPs. Are they still relevant? Have new services been introduced that require an update to your policy?
- Use Wildcards Carefully: While you can use wildcards (e.g.,
s3:*) to define actions, be careful. If you use a broad wildcard, you might accidentally allow access to a new feature of that service that you intended to restrict. - Adopt an "Explicit Deny" mindset: Instead of trying to maintain a list of what is allowed, focus on maintaining a list of what is strictly forbidden. This is much easier to manage as your organization grows.
Key Takeaways
- SCPs are Guardrails, Not Permissions: They define the maximum boundary of what is possible in an account. They cannot grant access that isn't already provided by IAM.
- Deny is King: SCPs are most effective when used as "Deny" policies. They act as a filter that blocks unauthorized actions regardless of any other permissions.
- Hierarchy Matters: SCPs are inherited. If you apply a policy at the root level, it applies to every account in your organization. Always test in a sandbox OU first to avoid widespread disruption.
- Transparency is Essential: Because SCPs are invisible to the end-user, ensure that your team is aware of the guardrails in place. Document your policies and provide clear error messaging when a request is blocked.
- Infrastructure as Code: Treat SCPs like any other piece of critical infrastructure. Store them in version control, test them in a pipeline, and audit them for drift.
- The "Break Glass" Strategy: Always maintain at least one account that is exempt from your most restrictive SCPs. This ensures you can regain control if you accidentally lock yourself out of your environment.
- Focus on High-Risk Actions: Start your SCP journey by protecting the most critical resources: audit logs, root account access, and regional data residency. Do not try to solve every problem at once.
By following these principles, you can build a secure, scalable, and compliant cloud architecture that empowers your developers while keeping your organization's data safe from accidental or malicious exposure. Remember, security is a journey, not a destination; your SCPs should evolve alongside your business needs and the changing landscape of the cloud.
Continue the course
Enjoying the courses?
Everything stays free. Pro shows fewer ads, doubles your daily points limit so you progress twice as fast, and lets you read each lesson on one page.
- ✓ Fewer advertisements
- ✓ 2× daily points limit
- ✓ Distraction-free lessons